- Incident Responder i56 Release Notes
- What's New
- Known Issues
- Issues Fixed in Incident Responder i56.5 (General Availability)
- Issues Fixed in Incident Responder i56.6
- Issues Fixed in Incident Responder i56.7
- Issues Fixed in Incident Responder i56.8
- Issues Fixed in Incident Responder i56.9
- Issues Fixed in Incident Responder i56.10
- Issues Fixed in Incident Responder i56.11
- Issues Fixed in Incident Responder i56.12
- Issues Fixed in Incident Responder i56.13
- Issues Fixed in Incident Responder i56.14
- Get Started with Incident Responder
- Configure Incident Responder Settings
- Core Settings
- Analytics Settings
- Configure Services
- Prerequisites for Configuring Incident Responder Microsoft Services with OAuth2.0 Authentication
- Configure the Amazon Elastic Compute Cloud (EC2) Service
- Configure the Anomali ThreatStream API Service
- Configure the Atlassian Jira Service
- Configure the BMC Remedy Service
- Configure the Check Point Firewall Service
- Configure the Cisco AMP for Endpoints Service
- Configure the Cisco Services Engine (ISE) Service
- Configure the Cisco Threat Grid Service
- Configure the Cisco Umbrella Enforcement Service
- Configure the Cisco Umbrella Investigate Service
- Configure the CrowdStrike Falcon Host API Service Service
- Configure the CyberArk Service
- Configure the Cylance Protect Service
- Configure the Exabeam Advanced Analytics Service
- Configure the Exabeam DL Service
- Configure the FireEye HX Service
- Configure the Fortinet Service
- Configure the Google Gmail Service
- Configure the IntSights Cyber Intelligence Ltd. Service
- Configure the IRNotificationSMTPService Service
- Configure the Microsoft Active Directory (AD) (Latest) Service
- Configure the Microsoft Exchange Service
- Configure the Microsoft Outlook Office 365 Service
- Configure the Microsoft Windows Defender ATP Service
- Configure the Microsoft Windows Management Instrumentation Service
- Configure the Netskope Service
- Configure the Okta Service
- Configure the Palo Alto Networks Firewall Service
- Configure the Palo Alto Networks Wildfire Service
- Configure the Rapid7 insightVM Service
- Configure the SentinelOne Service
- Configure the SentinelOneV2 Service
- Configure the Service Now Service
- Configure the Slack Service
- Configure the SlashNext Service
- Configure the Splunk Service
- Configure the ThreatConnect API Service
- Configure the Urlscan.io API Service
- Configure the VirusTotal Service
- Configure the Zscaler Service
- Test a Service
- Edit a Service
- Disable a Service
- Upload a Custom Service
- Delete a Custom Service
- Create an Email Template for the Notify by Email Action
- Respond to Security Incidents
You use a filter node to filter out a subset of the input source, based on conditions you specify when you configure the node. The filter node outputs the remaining subset and passes it on to the next node. The next node only evaluates this remaining subset. For example, you can use a filter node to remove:
Normal domains, so the next node evaluates malicious domains only.
Allow listed URLs, so the next node evaluates block listed URLs only.
Email attachments with a risk score below 90, so the next node evaluates attachments with a risk score above 90 only.
IP addresses from other countries, so the next node evaluates IP addresses from a specific country only.
To evaluate a single value, add a decision node.
From one node, add another node, then select FILTER.
Select an input source. You can select between the fields, entities, or artifacts in the incident or the output from a previous node.
Select an operator:
Equals – Checks if values are equal.
Not Equal To – Checks if values are not equal.
Contains – Checks if values partially match.
Not Contains – Checks if values do not match.
Is Empty – Checks if incident field doesn't have an assigned value.
Exists – Checks if incident field has an assigned value.
Starts With – Checks if string data type starts with a specified value.
Not Starts With – Checks if string data type doesn't start with a specified value.
Ends With – Checks if string data type ends with a specified value.
Not Ends With – Checks if string value doesn't end with a specified value.
In – Checks if value is in a specified list.
Not In – Checks if value is not in a specified list.
Matches – Checks if values match exactly.
Not Matches – Checks if values don't match exactly.
Greater Than – Checks if value is greater than a specified value.
(Optional) If relevant, enter or select a value.
Click SAVE.
(Optional) Add an additional condition to the filter node. You can't use both in one filter node; you must choose one or the other.
To add an or condition, select +OR.
To add an and condition, select +AND.
To change a condition from one to the other, select the down arrow next to it, then select the appropriate condition.
To close the panel, click anywhere in the interface. If there is a red border around the node, you have not configured one or more necessary fields.